From 383b280531a92a8b81d112a9acb4e44c08987be0 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Tue, 14 Jul 2020 23:26:11 +0200 Subject: added frida gum extension --- examples/afl_frida/README.md | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 examples/afl_frida/README.md (limited to 'examples/afl_frida/README.md')
diff --git a/examples/afl_frida/README.md b/examples/afl_frida/README.md
new file mode 100644
index 00000000..93e8f35a
--- /dev/null
+++ b/examples/afl_frida/README.md
@@ -0,0 +1,38 @@
+# afl-frida - faster fuzzing of binary-only libraries
+
+## Introduction
+
+afl-frida is an example skeleton file which can easily be used to fuzz
+a closed source library.
+
+It requires less memory and is x5-10 faster than qemu_mode but does not
+provide interesting features like compcov or cmplog.
+
+## How-to
+
+### Modify afl-frida.c
+
+Read and modify afl-frida.c then `make`.
+To adapt afl-frida.c to your needs, read the header of the file and then
+search and edit the `STEP 1`, `STEP 2` and `STEP 3` locations.
+
+### Fuzzing
+
+Example (after modifying afl-frida.c to your needs and compile it):
+```
+afl-fuzz -i in -o out -- ./afl-frida
+```
+(or even remote via afl-network-proxy).
+
+### Testing and debugging
+
+For testing/debugging you can try:
+```
+make DEBUG=1
+AFL_DEBUG=1 gdb ./afl-frida
+```
+and then you can easily set breakpoints to "breakpoint" and "fuzz".
+
+# Background
+
+This code ist copied for a larger part from https://github.com/meme/hotwax
-- cgit 1.4.1
From a8726b8254f2f8c429c8b3e1c2d30b9f7baa6e93 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 15 Jul 2020 00:08:38 +0200 Subject: ensure afl-frida uses persistent mode --- docs/Changelog.md | 2 ++ examples/afl_frida/README.md | 10 +++------- examples/afl_frida/afl-frida.c | 8 ++++++++ 3 files changed, 13 insertions(+), 7 deletions(-) (limited to 'examples/afl_frida/README.md')
diff --git a/docs/Changelog.md b/docs/Changelog.md index 8fb85ce6..50f5629f 100644 --- a/docs/Changelog.md +++ b/docs/Changelog.md @@ -18,6 +18,8 @@ sending a mail to . - LTO: autodictionary mode is a default - LTO: instrim instrumentation disabled, only classic support used as it is always better + - added afl-frida gum solution to examples/afl_frida (mostly imported + from https://github.com/meme/hotwax/) - small fixes to afl-plot, afl-whatsup and man page creation diff --git a/examples/afl_frida/README.md b/examples/afl_frida/README.md index 93e8f35a..33bd67c8 100644 --- a/examples/afl_frida/README.md +++ b/examples/afl_frida/README.md @@ -24,14 +24,10 @@ afl-fuzz -i in -o out -- ./afl-frida ``` (or even remote via afl-network-proxy). -### Testing and debugging +# Speed and stability -For testing/debugging you can try: -``` -make DEBUG=1 -AFL_DEBUG=1 gdb ./afl-frida -``` -and then you can easily set breakpoints to "breakpoint" and "fuzz". +The speed is very good, about x12 of fork() qemu_mode. +However the stability is low. Reason is currently unknown. # Background diff --git a/examples/afl_frida/afl-frida.c b/examples/afl_frida/afl-frida.c index c24e05b7..ff10ffb7 100644 --- a/examples/afl_frida/afl-frida.c +++ b/examples/afl_frida/afl-frida.c @@ -39,6 +39,7 @@ #ifndef __APPLE__ #include + #include #endif @@ -216,6 +217,10 @@ static int enumerate_ranges(const GumRangeDetails *details, int main() { +#ifndef __APPLE__ + (void)personality(ADDR_NO_RANDOMIZE); // disable ASLR +#endif + // STEP 2: load the library you want to fuzz and lookup the functions, // inclusive of the cleanup functions. // If there is just one function, then there is nothing to change 
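Review bot: The `(void)personality(ADDR_NO_RANDOMIZE);` added at the top of main() does not, as far as I can tell, de-randomize this process — the kernel consumes the flag when it lays out an image at exec time, so the harness's own mappings and the mmap base used by the later dlopen of the target keep their randomized placement, and the fork-server children inherit that layout. A fixed layout needs the harness to re-exec itself after setting the flag, or to be launched under `setarch -R`; the usual idiom is also `personality(personality(0xffffffff) | ADDR_NO_RANDOMIZE)` so the existing persona bits are preserved rather than replaced. The `(void)` cast swallows the -1 returned when the syscall is filtered (default container seccomp profiles commonly reject this argument), so at least `perror("personality")` on failure would make a silent no-op visible. `personality()` is Linux-only, so `#ifdef __linux__` describes the intent better than `#ifndef __APPLE__`, here and in the `#include` hunk above. main() continues outside the hunk.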
@@ -264,6 +269,9 @@ int main() { GumEventSink *event_sink = gum_fake_event_sink_new(); + // to ensure that the signatures are not optimized out + memcpy(__afl_area_ptr, (void*)AFL_PERSISTENT, sizeof(AFL_PERSISTENT) + 1); + memcpy(__afl_area_ptr + 32, (void*)AFL_DEFER_FORKSVR, sizeof(AFL_DEFER_FORKSVR) + 1); __afl_manual_init(); // -- cgit 1.4.1 From 133dfc8b69ece83bd7b1e59e81f09815ff5b8e44 Mon Sep 17 00:00:00 2001 From: van Hauser Date: Wed, 15 Jul 2020 10:32:07 +0200 Subject: update documentation --- examples/afl_frida/README.md | 2 +- examples/afl_untracer/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'examples/afl_frida/README.md') diff --git a/examples/afl_frida/README.md b/examples/afl_frida/README.md index 33bd67c8..1ee19a68 100644 --- a/examples/afl_frida/README.md +++ b/examples/afl_frida/README.md @@ -20,7 +20,7 @@ search and edit the `STEP 1`, `STEP 2` and `STEP 3` locations. Example (after modifying afl-frida.c to your needs and compile it): ``` -afl-fuzz -i in -o out -- ./afl-frida +LD_LIBRARY_PATH=/path/to/the/target/library afl-fuzz -i in -o out -- ./afl-frida ``` (or even remote via afl-network-proxy). diff --git a/examples/afl_untracer/README.md b/examples/afl_untracer/README.md index 9cb13527..ada0c916 100644 --- a/examples/afl_untracer/README.md +++ b/examples/afl_untracer/README.md @@ -39,7 +39,7 @@ The file is created at `~/Desktop/patches.txt` Example (after modifying afl-untracer.c to your needs, compiling and creating patches.txt): ``` -AFL_UNTRACER_FILE=./patches.txt afl-fuzz -i in -o out -- ./afl-untracer +LD_LIBRARY_PATH=/path/to/target/library AFL_UNTRACER_FILE=./patches.txt afl-fuzz -i in -o out -- ./afl-untracer ``` (or even remote via afl-network-proxy). -- cgit 1.4.1
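Review bot: The two added memcpy calls copy `sizeof(AFL_PERSISTENT) + 1` and `sizeof(AFL_DEFER_FORKSVR) + 1` bytes; if those macros expand to string literals (their definitions are outside the hunk, but the `(void*)` casts suggest it) `sizeof` already includes the terminating NUL, so the `+ 1` reads one byte past each literal — undefined behaviour that an ASan build would flag. Dropping the `+ 1`, i.e. `memcpy(__afl_area_ptr, (void*)AFL_PERSISTENT, sizeof(AFL_PERSISTENT));` and the same for the second call, copies exactly the NUL-terminated signature. Since the comment says the intent is only to keep the signature strings from being optimized out so afl-fuzz can detect persistent/deferred mode, a `__attribute__((used)) static const char` array per signature does that without writing into the coverage map, which otherwise carries non-zero bytes at offsets 0 and 32 before the first iteration. main() starts and ends outside the hunk.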